Configuring server-to-server SSL connections
You can configure a high-availability data replication (HDR) primary server, an HDR secondary server, a shared disk (SD) secondary server, a remote stand-alone secondary (RSS) server, an Enterprise Replication node, or a server involved in a distributed transaction connection for Secure Sockets Layer (SSL) connections.
Before you begin
Both servers must be enabled with a common TLS version. Set the TLS version on each server with the TLS_VERSION configuration parameter.
About this task
Note: Transport Layer Security (TLS) is the successor to SSL. In this documentation, the same information applies to TLS as to SSL.
To configure HDR servers, Enterprise Replication nodes, or servers involved in a distributed transaction:
Procedure
- Configure each server for SSL connections. Follow the steps in Configuring a server instance for secure sockets layer connections.
- In each server keystore, add the root digital certificate that the Certificate Authority (CA) issued to each of the other servers.
Example
Add the root certificates that the Certificate Authority (CA) issued to each server to the other servers, as follows.
- Add the root certificates issued to serv2 and serv3 to the serv1 keystore.
- Add the root certificates issued to serv1 and serv3 to the serv2 keystore.
- Add the root certificates issued to serv1 and serv2 to the serv3 keystore.
Note:
- Follow your company policies to obtain certificates. For more details, refer to the GSKCapiCmd User's Guide: ftp://ftp.software.ibm.com/software/webserver/appserv/library/v80/GSK_CapiCmd_UserGuide.pdf
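The import plan for serv1, serv2 and serv3 in the example above, as an added sketch that is not part of the original documentation: it prints one GSKCapiCmd `-cert -add` command per keystore and peer for review, and checks a keystore's label list for missing peer roots. The keystore and certificate directories, the `<server>_root.arm` file names, the `<server>_root` labels, the use of a stash file (`-stashed`) and the `gsk8capicmd_64` binary name are assumptions.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# Assumptions: paths, file names and labels below are placeholders.
SERVERS="serv1 serv2 serv3"
KEYSTORE_DIR="./ssl"          # assumed location of <server>.kdb and its stash file
CERT_DIR="./certs"            # assumed location of exported <server>_root.arm files
GSK_CMD="gsk8capicmd_64"      # assumed GSKit command name on this host

# Print the peers whose root certificates server $1 must trust (everyone but itself).
peers_of() {
    for peer in $SERVERS; do
        [ "$1" = "$peer" ] || printf '%s ' "$peer"
    done
}

# Print one import command per (keystore, peer) pair. Nothing is executed:
# review the output, then run it on the host that owns each keystore.
plan_imports() {
    for target in $SERVERS; do
        for peer in $(peers_of "$target"); do
            printf '%s -cert -add -db %s/%s.kdb -stashed -label %s_root -file %s/%s_root.arm -format ascii\n' \
                "$GSK_CMD" "$KEYSTORE_DIR" "$target" "$peer" "$CERT_DIR" "$peer"
        done
    done
}

# Read the labels present in server $1's keystore (one per line on stdin)
# and print the peer root labels that are still missing.
missing_roots() {
    present=$(cat)
    for peer in $(peers_of "$1"); do
        printf '%s\n' "$present" | grep -qx "${peer}_root" || printf '%s_root\n' "$peer"
    done
}

plan_imports

# Constructed label list: the serv1 keystore holds only the serv2 root so far.
printf 'serv2_root\n' | missing_roots serv1
```

An empty result from `missing_roots` for every server means each keystore holds the roots of both peers, which is the state the procedure requires before the servers attempt SSL connections to each other.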